Oculus Rift headsets ceased operating today, leaving owners with virtually no
way to enjoy their virtual reality. Thanks
TechCrunch for pointing the way to
this post that explains Oculus is working on the issue, which apparently
stems from an expired security certificate, making for some extremely
unhappy customers:

We are aware of and actively investigating an issue
impacting ability to access Rift software. Our teams apologize for any
inconvenience this may be causing you and appreciate your patience while we work
on a resolution. We'll share more updates here as we have them. Thanks.

Update:
Hey everyone - This is an issue with our software certification that we're still
actively working on. For security, we use a certificate to ensure that the
software you receive actually comes from Oculus. That certificate has expired,
and we're looking at a few different ways to resolve the issue. We’ll update you
with the latest info as available. We recommend you wait until we provide an
official fix. Thanks for your patience.

HorrorScope wrote on Mar 8, 2018, 20:54:I do get your point, but what is the Net Difference, if something happens where your software is rendered useless unless fixed by someone not you?

Oculus stated the intent of the security cert here. "For security, we use a certificate to ensure that the software you receive actually comes from Oculus." The Rift software is a hardware calibration and driver provider plus a storefront. It is is bound to the hardware owned by an individual. Oculus says, "The Oculus software [finds] friends and [discovers] the best VR apps, games, and experiences." They provided a $15 credit for the inconvenience. So the secure certificate is apparently used to create security for various transactions like downloading drivers and purchases with credit cards and Paypal.

The software itself might be considered a form of DRM, but the SSL underneath it is merely a security layer.

Armengar wrote on Mar 8, 2018, 15:19:i have a company code signing cert. it is used to sign my .net work. it has a finite 2 year lifespan. it is also set to update when there is 3 months left on it. these apps are web apps and connected to the internet. it would be commercial suicide for me to use a 2 year code signing cert for offline apps. there is no need to use them for offline apps either.

this also means the oculus will brick itself if the company decideds not to support itself....

That's a great point and I suspect owners will be asking them exactly this now. They can just stop shop and your'e done, very DRM'y'ish.

Kxmode wrote on Mar 8, 2018, 14:14:There are plenty of situations where expired SSL certificates block people from doing things. For example, on secure sites images, video, and other media will stop working and cannot be accessed. And e-commerce sites will no longer be able to run secure transactions (in a few cases, payment processors will out-right refuse to accept transactions from sites with expired certificates). In this situation, nobody would claim the website is using SSL as a form of DRM. There's only a break between server and client. This severing has prevented the software, and in the case of the Oculus, and hardware from working as expected. IOW put away the DRM tinfoil hats.

SSL !== DRMDRM !== SSL

They are not the same thing.

First, I don't really care all that much about DRM one way or the other because I've rarely ever been burnt. There were some worse than others and are long gone now.

I do get your point, but what is the Net Difference, if something happens where your software is rendered useless unless fixed by someone not you? This is even legal owned software, so it could be argued in this case it is even worse. The net effect is the same fear DRM'ers have been warning about for decades now.

i have a company code signing cert. it is used to sign my .net work. it has a finite 2 year lifespan. it is also set to update when there is 3 months left on it. these apps are web apps and connected to the internet. it would be commercial suicide for me to use a 2 year code signing cert for offline apps. there is no need to use them for offline apps either.

this also means the oculus will brick itself if the company decideds not to support itself....

Its not the cough that carries you off but the coffin they carry you off in.

"You say eether and I say eyether,You say neether and I say nyther;Eether, eyether, neether, nyther,Let's call the whole thing off!You like potato and I like potahto,You like tomato and I like tomahto;Potato, potahto, tomato, tomahto!Let's call the whole thing off!"

Don't put SSL and secure certificates in the same bucket with DRM. They are not the same.

In this case they are acting somewhat the same as in, you can't play X because something we have done to stop you. If SSL is only for what you say, they've overstepped its boundaries as this isn't a website nor ecommerce, they used it in a DRM'y way.

There are plenty of situations where expired SSL certificates block people from doing things. For example, on secure sites images, video, and other media will stop working and cannot be accessed. And e-commerce sites will no longer be able to run secure transactions (in a few cases, payment processors will out-right refuse to accept transactions from sites with expired certificates). In this situation, nobody would claim the website is using SSL as a form of DRM. There's only a break between server and client. This severing has prevented the software, and in the case of the Oculus, and hardware from working as expected. IOW put away the DRM tinfoil hats.

Flatline wrote on Mar 7, 2018, 18:54:But having a signed SSL certificate to even run your software *is* strange.

Not very strange. I find it odd when drivers aren't signed. Otherwise how can you really trust that they're from the developer? At any rate, this cert was around the CV1 days. The guy who wrote the software probably left and nobody noticed. Also changing a system clock can lead to other software problems, so make sure to change it back when done. I'm surprised they haven't fixed it yet though since signing a new executable shouldn't take very long.

No it's still strange. Because sure, I can buy using a cert to communicate with the mothership and make sure you have an uninterrupted connection. But apparently Oculus either needs to have an always-on connection to the corporate servers, or the cert is still required even when offline. I mean, you already have the software, you know it's legit (though a certificate doesn't ensure that you have an uncompromised piece of software, just that you weren't subjected to a Man in the Middle attack. You need checksums or some other method to verify that you have uncompromised software) it's on your computer, the cert doesn't do anything at that point. If it's checking the cert while offline and still preventing you from launching the game, this is crappy programming and basically enforced obsolescence.

Edit: Driver signatures are not SSL certificates. That's a different thing entirely.

Don't put SSL and secure certificates in the same bucket with DRM. They are not the same.

In this case they are acting somewhat the same as in, you can't play X because something we have done to stop you. If SSL is only for what you say, they've overstepped its boundaries as this isn't a website nor ecommerce, they used it in a DRM'y way.

I would agree SSL is not DRM. That said, the situation here appears to be you can't use your Rift without an active connection to their website. Basically, their DRM check failed because of an expired SSL certificate.

I have to admit this has happened to the company I work for more than once.But we typically ask our customers to provide their own certs to secure client - server communications so only the ones who use the default we ship with are affected.

Kxmode wrote on Mar 7, 2018, 21:07:It's technically not DRM. A secure cert is a way to create a safe connection between server and client without a VPN. For all online services like Steam, WOW, Overwatch, Battle.net and so forth there's an SSL Secure Cert behind the scenes. The fact that you never hear about it might speak volumes about the Oculus folks for letting theirs expire.

And they use that to only allow running software comming from their server. Hence DRM...

Kxmode wrote on Mar 7, 2018, 21:07:It's technically not DRM. A secure cert is a way to create a safe connection between server and client without a VPN. For all online services like Steam, WOW, Overwatch, Battle.net and so forth there's an SSL Secure Cert behind the scenes. The fact that you never hear about it might speak volumes about the Oculus folks for letting theirs expire.

And they use that to only allow running software comming from their server. Hence DRM...

As someone you used to deal with SSL certificate updates/replacements that is a pretty bad fail. Never seen a system which didn't allow for automated notifications ahead of time when certificates were going to expire...

Silgurdar wrote on Mar 7, 2018, 18:01:Why do you need active Internet connection to use the Oculus Rift? It's same as needing one to use a monitor...

DRM.

It's when their DRM is more important than reliability or privacy.

It's technically not DRM. A secure cert is a way to create a safe connection between server and client without a VPN. For all online services like Steam, WOW, Overwatch, Battle.net and so forth there's an SSL Secure Cert behind the scenes. The fact that you never hear about it might speak volumes about the Oculus folks for letting theirs expire.